2 factor authentication

Answered Question
Apr 15th, 2010

I'd like to implement 2 factor authentication using radius along with an internal CA.  The idea is that everyone connecting to the vpn belongs to a group and has a certificate obtained from an internal CA.  I thought mutual group authentication might be the answer, but am not sure.  I tried it: I installed a CA cert and Identity cert, but when I try to use the vpn client with mutual group authentication, I can't connect.  The ASA reports "removing peer...no match".  On the PC I'm using to test, I've installed both a user certificate and the root certificate from the CA.

I saw some notes that pointed toward using 2 factor authentication on SSL VPNs, but am not sure that's what I want.  I currently have SSL VPN in place to allow users who don't have a client get connected, typically machines that would never see the internal network and be able to obtain a certificate from an active directory integrated CA.  Is what I'm trying possible?

thank you,

Bill

Correct Answer by Jennifer Halim about 6 years 10 months ago

Here is a sample configuration of the ipsec vpn client with certificate authentication. In the example it uses the ASA local database for the extended authentication, but you can always configure an aaa radius server and assign the radius server to the policy:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

WILLIAM STEGMAN Fri, 04/16/2010 - 06:51

Thank you.  One thing I'm concerned about with this approach is that the instructions ask to load a certificate based on the user account vpnuser.  This looks like, if I were to use radius and active directory, I would have to repeat this step for every active directory user.  Is that your understanding of this note?

Jennifer Halim Fri, 04/16/2010 - 07:02

Of course, if you would like to use certificates as authentication, each user should have his/her unique certificate. Every user should get their own certificate for the authentication. You cannot just use 1 certificate for 50 users, for example.

That is the reason why certificate is more secure than pre-shared-key authentication.

WILLIAM STEGMAN Fri, 04/16/2010 - 07:38

I think I understand.  I got the CA cert and Identity cert loaded on to the ASA, and will not have to load any more certificates on it.  The way the instructions read led me to believe I had to go through the process for each user, but I don't think that's the case.  Now that I've done it, I get a syslog error

3    Apr 16 2010    10:14:05    713902                    IP = 74.92.84.70, Removing peer from peer table failed, no match!

3    Apr 16 2010    10:14:00    713048                    IP = 74.92.84.70, Error processing payload: Payload ID: 1

which seems to indicate an IKE issue, but that could only be that the certificates are not correct.  I've gone through the process twice following the note; the only discrepancy I saw was that my cert request had the IPSEC (Offline Request) template instead of just IPSEC.

Jennifer Halim Fri, 04/16/2010 - 07:43

I assume you have also loaded the certificate on the vpn client, and the ISAKMP policy for authentication is rsa-sig?

What CA server are you using? Have you also loaded both root and identity certificate on the vpn client?

WILLIAM STEGMAN Fri, 04/16/2010 - 07:51

I loaded two certs on the vpn client as the instructions outlined and I loaded both the identity and ca certs on the ASA.  Here's part of the config.

BG-ASA# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 55c5b654000000000069
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=insurance
    dc=insurance
    dc=bisys
    dc=org
  Subject Name:
    cn=hbgvpn.crumplifeinsurance.com
    ou=IT
    o=Crump
    l=Harrisburg
    st=PA
    c=US
    hostname=hbgvpn.crumplifeinsurance.com
  CRL Distribution Points:
    [1]  ldap:///CN=insurance,CN=HBG-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bisys,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint
    [2]  http://hbg-ca.insurance.bisys.org/CertEnroll/insurance.crl
  Validity Date:
    start date: 09:46:00 EDT Apr 16 2010
    end   date: 09:46:00 EDT Apr 15 2012
  Associated Trustpoints: ASDM_TrustPoint0

CA Certificate
  Status: Available
  Certificate Serial Number: 34f3c7aa043edc804634907b076c64ed
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=insurance
    dc=insurance
    dc=bisys
    dc=org
  Subject Name:
    cn=insurance
    dc=insurance
    dc=bisys
    dc=org
  CRL Distribution Points:
    [1]  ldap:///CN=insurance,CN=HBG-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bisys,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint
    [2]  http://hbg-ca.insurance.bisys.org/CertEnroll/insurance.crl
  Validity Date:
    start date: 11:28:52 EDT Jun 27 2008
    end   date: 11:38:38 EDT Jun 27 2018
  Associated Trustpoints: ASDM_TrustPoint1

tunnel-group 2factor-VPN type remote-access
tunnel-group 2factor-VPN general-attributes
authentication-server-group VPN
default-group-policy 2factor-auth
tunnel-group 2factor-VPN webvpn-attributes
authentication aaa certificate
group-alias 2factor-SSL enable
tunnel-group 2factor-VPN ipsec-attributes
trust-point ASDM_TrustPoint0

Jennifer Halim Fri, 04/16/2010 - 07:56

What about your crypto map? Have you also added the "crypto map set trustpoint ASDM_TrustPoint0"?

Oh and btw, your identity cert is on trustpoint ASDM_TrustPoint0, but your CA (root) cert is on trustpoint ASDM_TrustPoint1.

You would need to authenticate your root CA on trustpoint ASDM_TrustPoint0.

WILLIAM STEGMAN Fri, 04/16/2010 - 08:03

So I added the crypto map set trustpoint ASDM_TrustPoint0 command; it read that the entry is incomplete, though, as if it were expecting a match clause.  Besides that, do you mean I should delete the CA cert ASDM_TrustPoint1 and add another CA cert with an associated trustpoint of ASDM_TrustPoint0 to match the Identity cert?

Jennifer Halim Fri, 04/16/2010 - 15:55

Both CA (root) and identity certificate should belong to the same trustpoint. Currently you have CA root certificate on ASDM_TrustPoint1 and the identity on ASDM_TrustPoint0, so they belong to 2 different trustpoints.

If you check the configuration guide, both certificates belong to 1 trustpoint, i.e. CA1.

So in your case, just upload the CA root certificate as follows:

crypto ca authenticate ASDM_TrustPoint0
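The trustpoint mismatch diagnosed in this thread (identity cert on ASDM_TrustPoint0, its issuing CA on ASDM_TrustPoint1) is easy to miss by eye in long `show crypto ca certificates` output. The following added example (my own code, not from the thread or from Cisco) parses that output, pairs each identity certificate with the CA certificate whose subject matches its issuer, and flags pairs that do not share a trustpoint. The embedded output is an abridged excerpt constructed from the one pasted above; the parser also accepts the full output, since every other sub-block header ends in a colon.

```python
SHOW_OUTPUT = """\
Certificate
  Issuer Name:
    cn=insurance
  Subject Name:
    cn=hbgvpn.crumplifeinsurance.com
  Associated Trustpoints: ASDM_TrustPoint0

CA Certificate
  Issuer Name:
    cn=insurance
  Subject Name:
    cn=insurance
  Associated Trustpoints: ASDM_TrustPoint1
"""  # abridged excerpt constructed from the thread's "sh crypto ca certificates"

def parse_certs(text):
    """Split ASA output into dicts: kind, issuer, subject, trustpoints."""
    certs, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line and not raw.startswith(" "):      # "Certificate" / "CA Certificate"
            cur = {"kind": line, "issuer": [], "subject": [], "trustpoints": []}
            certs.append(cur)
            section = None
        elif line == "Issuer Name:":
            section = "issuer"
        elif line == "Subject Name:":
            section = "subject"
        elif line.startswith("Associated Trustpoints:"):
            cur["trustpoints"] = line.split(":", 1)[1].split()
        elif not line or line.endswith(":"):      # blank or any other sub-block header
            section = None
        elif section:
            cur[section].append(line)             # one DN component per line
    return certs

def check_chain(certs):
    """Flag identity certs whose issuing CA is missing or on another trustpoint."""
    findings = []
    cas = [c for c in certs if c["kind"] == "CA Certificate"]
    for ident in (c for c in certs if c["kind"] == "Certificate"):
        issuers = [ca for ca in cas if ca["subject"] == ident["issuer"]]
        if not issuers:
            findings.append("no CA certificate matches the identity cert issuer")
        for ca in issuers:
            if not set(ca["trustpoints"]) & set(ident["trustpoints"]):
                findings.append("identity cert on %s but its CA on %s"
                                % (ident["trustpoints"], ca["trustpoints"]))
    return findings
```

Running `check_chain(parse_certs(SHOW_OUTPUT))` on the thread's output reports the TrustPoint0/TrustPoint1 split; once the root CA has been authenticated on ASDM_TrustPoint0 the same check returns no findings.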
